So anyway, our talk is on what we call BYO disaster and why corporate wireless security
still sucks. A little bit about us. My name is James. I also go by Punk and Poop online
back in the old IRC days and stuff. Independent security researcher, just an all‑around
nerd, boring guy. And with me I have Josh Hoover here, the guy that pooped today.
That's fine. I'll switch over here. Yeah, I'm Josh. I've been coming to DEF CON since
‑‑ well, since I had hair. And some of my friends over here were just starting to
grow hair. So we've been here for quite a while. Privileged to be here. Thank you for
coming to our TBA talk. This picture that Jim selected of me is supposed to be kind
of a joke. Did you guys read our profiles at all online? You probably can't see it in
the book. But I'm sure you can see it. I'm sure you can see it. I'm sure you can see
it online. Anyway, there's a funny profile I wrote for Jim and this is his way of getting
back at me. I told him to pick any random picture he could find on Facebook. So that's
the evil one he picked of me. So anyways, at the end of the day, we're
just nerds with random ideas and inconsistent results. That's been the story of our lives.
So what we're going to talk about today is we're going to show you some ways to obtain
clear text credentials without cracking a single hash.
There's been a lot of research and work in the past that has involved gathering hashes
and cracking them offline using brute force dictionary attacks and those kind of things.
We're pretty lazy. We don't have time or want to spend a lot of time cracking hashes.
So our whole thought was to come together and try to find an easier way, a faster way
of capturing clear text credentials to gain access to networks. Secondly, we're going
to release a tool that kind of automates the whole process. We're going to release a tool
that does things for you right out of the gate really fast. So if anybody's done these
attacks in the past to set up the interfaces and all that, it can be kind of time consuming.
So we've kind of automated that whole process for you.
How we're going to do this is we're going to explore a new functionality issue, and
I'll get into that more later, that we found with how iOS and OS X devices are handling
MSCHAP v2. Secondly, we're going to demonstrate the use
of EAP-GTC.
So I'll go ahead and give it to Josh here, and he's going to kind of take you through
some of the technicals for MSCHAP v2.
So how many people here show of hands that have ever set up a WPA2 enterprise network
or know the ins and outs of that?
You shouldn't, but, yeah, anyway. That's great.
That's what that guy said right there.
So looks like there's a fair amount of you that haven't yet, so I'm going to kind of
go over some of the technical details on exactly what our research was looking at.
I'm sure most of you have set up a WPA2 personal at home, where you set a pre‑shared key
of some kind and you gave it an SSID and you connected to it and you knew what the password
is and you signed into it. Basically, WPA2 enterprise just adds one extra component to
that, usually a back‑end authentication server of some kind.
In this particular instance, it's the RADIUS server box you see on your right, I guess,
of the screen. And that just adds another layer of authentication, so you can authenticate
every single client that connects to your network instead of just having one key that
you would use maybe at your home network. So you have a client that you see there on
the left, an AP in the middle, and then we're adding an extra component for WPA2 enterprise,
which is the authentication server. In this particular instance, it's going to be a RADIUS
server, but there are other ‑‑ there's other options there for different kinds of
servers, but this is what we were centering on for the MSCHAP v2 and GTC stuff. And it's
a lot of what you'll see in ‑‑ you'll see a lot of what we're centering on for the
enterprise‑level networks, and crazy people like us like to run this kind of thing at
home for some weird reason. So what's the first thing that happens when
you connect to an AP, right? I mean, most people are familiar with that, right? You
pick your SSID and you connect right up to it. You pick your network name there, and
that's pretty easy. So I'm going to blow your mind with technical details here, right? Association
stuff. I'm not going to really go into that portion of it, but it's worth mentioning
that this is the first layer of attack for a lot of people that want to set up what's
called an evil twin.
And basically what you're doing is you're mirroring the exact same SSID that your target
is using and hoping that clients will connect to you instead of to the actual AP. And so
that's the first layer of attack called the evil twin. And that has to do ‑‑
This could get dangerous.
Double!
These guys are going to be very angry at me because I actually don't drink, so.
Drink!
Then your co‑speaker has to drink, too.
Yeah, Jim's got to drink double because I can't drink, so. You guys can throw things
at me instead if it makes you feel better, though.
We've got to drink all of them?
Yes.
No way.
We're here to help.
Here's for you. Here's for your co‑speaker.
You know how many times in my career I've had to take one for the team for this guy?
And also, as you may be familiar, raise your hand if this is your first DEF CON.
Why is it everybody's new?
Wait. Why were you pointing at him?
All right. You. Get up here.
That's her first DEF CON, too.
And the lady down here with the striped dress on.
I've got to suffer your suffering, too.
It's your first time speakers.
Wait, wait, wait. What are you doing? Hey! Hey! We don't have people up here. Where's
mine?
I thought you had some.
What?
Two more cups.
Oh, my God.
Three more cups.
Bear with us.
Yeah.
They know it was my first time.
Drink if you got one.
They know.
Did you make the PSA?
Did you pick it up from the bar?
Here, you can have this.
Oh, we didn't do the PSA.
I know it's a double. You get both.
No, we did not do the PSA.
Should I do it?
You can have it.
Single?
Should we take it double?
I tried.
What have we got?
Geez.
All right, everybody.
Come on.
We're actually out of cups.
All right.
To all of you newbies, welcome.
Thank you very much.
I'm sorry.
Your time is up now.
Bye.
Thanks for having us.
It's already coming out the other end.
I have no idea what I was doing.
Where am I?
Hi.
Did you drink one?
No.
So association stuff, right?
We've got the shots covered.
Okay.
So association stuff.
We're connecting to the evil twin.
Blah, blah, blah.
That's the first layer attack.
We're excited about that.
Let's move on.
So the next portion that happens in WPA2 personal ‑‑ I'm sorry, WPA2 enterprise is what's called
an EAP proposal.
So what's EAP?
EAP is extensible authentication protocol.
And basically that's just a fancy acronym.
Sorry.
It's just a fancy acronym.
For a methodology or a framework that's used for authentication of all kinds of services.
And this particular service is going to be Wi‑Fi.
So it just allows you to add username and password or certificates or one‑time password,
something like that to some kind of service.
So the first thing that will happen here in this portion is that the AP is going to request
an identity from the client.
The client gets a pop‑up on most clients that says nothing more than username and password.
That's all it says.
And that will be kind of important later.
Because at this point, we haven't really established exactly what kind of authentication
we're even using yet.
So anyway.
The client sends that over, doesn't actually send the password over yet, but does send
over the identity, which in this case is the username or some kind of log‑in name.
And this is another layer of attack that a lot of people like to use.
Because now you can just stop here if you wanted and just gather usernames all day long.
That's boring.
We want passwords.
We don't want to have to crack them.
We don't want to have to brute force it.
So that only gets us one step.
So after it sends it over to the RADIUS server, the RADIUS server says, okay.
That's good.
It's going to send over what's called a PEAP start.
So what's PEAP?
PEAP is Protected Extensible Authentication Protocol.
And basically that's just a fancy way of protecting EAP.
So unfortunately, EAP by itself isn't inherently secure.
So if you were sending over hashes or whatever you're sending over using just regular EAP,
you can pick them up usually over the air.
Because at this point, there's no encryption at all at this point.
So you can pick up anything.
And so this is a way to protect that data.
And what PEAP does is it makes what's called an outer authentication and an inner authentication.
The outer authentication is not very fancy.
It's just an encrypted tunnel.
And the inner authentication is the actual user's or client's information.
So it's attempting to protect that information inside of an encrypted tunnel, which is great
if you're sitting on the outside and you're just sniffing it.
But if you're the evil twin, they're sending it all to you.
But you've got to make sure all this stuff happens, otherwise the client is going to
freak out and it's not going to send you its credentials and its goodies that you want
to get.
So you don't have to.
Goodies.
So what happens next?
So anyway, the outer authentication happens next.
This is, again, part of PEAP.
I'm not going to do a lot of technical details here.
It's TLS setup stuff.
So you guys can look up TLS if you're not familiar with it.
But there's a server cert that's on the RADIUS server that gets sent over and it establishes
a TLS tunnel in order to start sending over all the goodies, all the good authentication
portions of whatever you happen to do.
So after that, you go into the inner authentication portion.
That's inner EAP.
In this particular instance, we're going to be talking about MSCHAP v2.
Now, v2 differs from v1, and I'll explain that in a second.
But MSCHAP is generally used for NT or domain or whatever, Windows log in, so user name
and password.
It's a way to allow people to use that in order to log in to a wireless network.
So this is kind of important for a lot of enterprises out there because they want to
make it easy.
People don't want separate passwords or have to worry about key management or people want
to bring in their BYOD devices and just connect up to the network and this enables them to
use their normal log in that they would use on the corporate network.
So the first thing that happens in this inner authentication portion is what's called
oh, well, sorry, it just sends the identity again.
So it actually sends the identity again over to the RADIUS server, so it requests it and
sends it.
Yeah, great.
We've already got that.
That's something new.
So the first thing that happens from the RADIUS server, it sends over a challenge, an MSCHAP
v2 challenge.
Now, the client takes this challenge and takes its password and makes a hash from it.
And the ‑‑ then it sends it back to v2.
Now, an important part of v2 over v1 is that there's a dual authentication happening here.
Both the client and the RADIUS server want to make sure that each other actually knows
the password.
So the RADIUS creates a challenge and sends it over to the client and says, hey, here's
a challenge, use this challenge portion to create a password for me, a hash, and send
it back to me.
And the client says, okay, no problem.
I will take that challenge, my password, create a hash, send the hash over to you.
It's a hash.
There's lots of people here that can tell you how to crack those, but we're lazy and
we still consider that too difficult for our small minds.
So it will send that back over with an actual challenge of itself and say, okay, here's
my hash, but I want you to tell me that you know my passwords.
Here's my own challenge.
Take this challenge, hash it with whatever you think is my password, and send it back
to me.
So the RADIUS says, okay, if I do actually have your password, I'm going to do that.
And I'm going to take your challenge and send a response back to the client.
And at this point, the client is going to have a password.
The client looks at it and says, okay, does this match?
If it does not match, it's supposed to drop the connection at this point, which may or
may not happen as we see here going on.
But this is an important part of V1 versus V2.
Microsoft and Cisco specifically created this in order to try to circumvent some of what's
going on here and the attacks you'll see here in a second by making sure the client
says, well, I'll give you my hash, but I'm not going to connect until I'm sure you actually
know my password.
So again, if that does work.
And you ‑‑
If the client does actually know the password, then the RADIUS server will take that.
It will make its actual response and say, okay, your password was successful.
Here's the response to your challenge.
The client looks at that and says, okay, you do actually know my password.
No problem.
Let's send over a success to the RADIUS server.
The RADIUS server says, great, we're all good.
Let's start our connection.
It sends over what's called an EAP TLV success.
The client acknowledges that and we're golden.
So the inner authentication has happened correctly.
Again, this is with MSCHAP v2.
So we ‑‑
So what happens next is basically just an EAP success portion here.
We're installing some special keys onto the AP to start up the actual encrypted network
connection so they can get the rest of their IP address and everything that they need to
in order to get access to the actual network.
And again, I'll blow your mind here with some really fancy technical details, finishing
the connection stuff, right?
I won't really go into that.
But again, what we're really concentrating on here in our attack is the inner authentication
portion because we want the password.
We want them to make the connection.
We want them to make a full connection to us so we need to convince them that we know
the password.
We want them just to send the password to us anyway.
And so this is where our research is really focused.
Now anybody who's done ‑‑
How many people out here do security research?
Other than showing up to DEF CON, I guess that's considered security research, right?
So a few of you.
You're probably familiar with how difficult this can be, especially if you run into stuff
like this where you're trying to get a full connection and MSCHAP is just hitting you
in the face and saying, no, you can't have that connection and you try again and it hits
you in the face and whatever happens.
So we found this funny little video that kind of reminds us, some of you have probably
seen this before, kind of reminds us exactly what this feels like.
Yeah, it's not a whole lot of fun.
But, you know, she's okay.
So you'll be okay, too.
You know, you take a few hits in the face, you can get back up and she actually did get
back up and she had to finish this.
But anyway.
So that's a little overview, quick overview of the way that our research, exactly what
our research is looking at technology-wise.
Everybody loves that video.
All right.
I'm going to pass over Jim here and he's going to tell you about our actual first attack.
Thank you for sitting through all of that technical detail.
All righty.
So, you know, I have to say that I purposely only had like three drinks when I was coming
to this just to take the edge off.
So the crap that they just gave me just kind of pushed me over my edge.
So I'm going to do my best to get through these slides.
So anyways, the first attack.
We call it the iPoner because it's centered around iOS and OS X.
On the left side there you see it's a mobile device, a phone, and then on the right side
we have the actual RADIUS server.
We didn't put the AP in the middle, but you can imagine there's obviously an AP in
the middle of this thing.
So we've ‑‑ the RADIUS server is a patched version that we wrote that kind of puts the
exploit into there, kind of like what Josh Wright has done in the past with his patch
for RADIUS for capturing hashes and cracking those off‑line, we kind of did the same
type of thing in a different way.
But anyways, the first thing that happens is the server challenges a client like what
Josh was talking about earlier.
The client gets that.
It's going to send its MSCHAP response back along with its peer challenge.
And that peer challenge is basically the client's way of authenticating the server
to itself.
It's basically to make sure that both people have knowledge of the clear text credentials.
So once the server gets that in response, it's going to look in its database and obviously,
as the attacker, we don't know what the user's password is at this point.
So we have two choices.
We can either tell them, cool, your password is good or, hey, your password is wrong.
So the first thing we tried, obviously, is we accept everything.
And if anybody has used the patches that have been out in the past, they've been designed
to say success for everything.
Any password you send it is going to send a success in response.
When we do that, the peer challenge doesn't match for all devices.
It looks it up in its database and says, hey, you're full of crap.
What you sent me back is wrong.
And typically it drops a connection or it sits in kind of a limbo state.
It won't actually establish a connection to the network, which is what we're after.
So we start over.
You know, we've actually tried a lot of things, but we're consolidating this into the one
that worked for your guys' sake.
But anyway, so we reject the password.
We just tell them, yep, what you sent me is incorrect.
So the server then sends a TLV success at the end.
So we tell the ‑‑ the user sends us his password, we send it back saying, no, whatever
you sent me is incorrect.
Expecting the client to drop the connection.
For some reason, iOS and OS X devices don't drop the connection.
So we follow that up with a TLV success, basically telling the client that everything is good,
we're going to go ahead and finish this connection and I'll send you a DHCP address and start
sending you network services.
OS X devices go, well, you know, I don't really know what this means, but, okay, cool, we're
good.
So ‑‑ right.
So the client sends us a TLV success.
They're ready for a DHCP address and everything else is going on.
So the client checks for a captive portal.
Another crappy thing about your iOS and OS X mobile devices, most devices, when you're
connecting to a secured wireless network, it knows that there's not a captive portal.
So there's no reason to send a probe out saying there's a captive portal there.
iOS and OS X devices don't do that.
They send that probe no matter what.
So what we do is we capture that probe and say, sure, there's a captive portal on your
secured network that you don't need.
And we forward that on.
So basically we send them the captive portal, which is an HTTP, right?
They type in their password again and we get it in clear text.
That's how the attack basically works.
We're very happy.
That's all right.
So we're not ‑‑ so from a user's perspective, you know, what does this look like from your
mobile phone?
So you get some manager that brings his personal phone to work and he wants to check his e‑mail
because he's late for a meeting, all that jazz, even though he knows it's not allowed,
but he doesn't care.
He's a manager, right?
So he pulls up his iPhone, he's looking at it, yeah, like Manny right here in the front,
Tony and Manny right here, like those guys.
Anyways.
So you got your MSCHAP test network, that's what we're calling it in this case.
So you select it.
It prompts you for your username and password like you're used to.
You type that in.
It's going to pop up a cert, right?
How many users?
Users always accept a cert no matter what it says.
It could say you're a douche bag on the cert and they'll say, okay, cool, I'll accept it.
So it really doesn't matter what you put there.
Most people just click okay.
So the next thing they see is this captive portal login.
You can make this login look whatever you want, but we just took a standard one.
So the very next thing pops up, oh, what the hell, I already typed it in, maybe I got my
password wrong.
So they type it in again and basically that sends us over your passwords in clear text.
This last screenshot is what it looks like from ‑‑
On an OS X device, like your laptops, your Apple laptops, it actually tells you that you have
authenticated via MSCHAP v2 when obviously we just showed you that that's not accurate.
So at the end of the day, you're getting your clear text passwords.
You have a full man in the middle connection at this point.
So the sky is basically the limit.
You can do whatever you want with them at this point.
So a recap of basically the attack that we just went through.
So the supplicants on OS X and iOS devices.
They don't appear to be handling MSCHAP v2 properly.
They don't require that you send it as success or they're not paying attention to it for
whatever reason.
We don't really know.
But basically at that point so much for mutual authentication, right, MSCHAP v2 is there
specifically for mutual authentication.
In this case it's not working.
So we're bypassing that inner authentication mechanism.
We can say whatever we want at that point and we're just letting it go through and then
establishing that connection.
We're trapping a captive portal.
Probe request.
It's default sent by these mobile devices and just forwarding them on to our malicious
captive portal like you would if you were mimicking a hotspot network at Starbucks or
some place like that.
Not that we've done that, but just saying.
And then the users enter their credentials again and it's in HTTP so it's going to be
sent in clear text and we're there to capture them.
Oh, I love Apple.
So anyways.
I'm going to.
Or actually the next slide here.
So we'll talk about responsible disclosure.
Not to say first off responsible disclosure because Josh gives me crap all the time when
I tell him how I really feel about it.
But it's a good thing and we encourage people to do that.
It's kind of like telling a kid in elementary school that you're going to tell on him before
you tell on him.
Right?
He's in trouble.
I'm going to tell.
You know.
So whatever.
So anyways.
So here's how it went in this particular case.
So we found a new issue.
We're going to report it up the chain.
Typically what happens is, hey, I discovered this thing that exposes your back door and
I urge you to patch it before someone dumps a nasty payload in it.
Nobody's laughing because you guys don't have a sick sense of humor like me.
But anyways.
So that's what happens.
Then the sociopath, right, the corporate, because they really don't care, they don't
have a personality, their response is thank you.
Though you're probably wrong.
We will have some of our outsourced managers put ten cards on it right away and never get
back to you.
That's typically how it goes, right?
Actually in this case, they did respond with their generic message right away, so anyways.
So a month later, hey, can I get a status on, you know, that ticket I submitted, number
99, whatever?
And then you get a response, hey, me, Josh, 4379, I see not what you say.
I like gummy bears.
Ticket closed.
Basically meaning that whatever you just told us is crap and have a nice day.
It's okay.
Cool.
So this is their actual response that they sent back.
So basically they're telling us that it's nothing.
And then they tell us at the end here, hey, you know, why don't you try this GTC thing
because that will just send the shit to you in clear text.
So thanks, Apple.
So we're going to go ahead and start our next attack.
Wow, Apple.
Thanks.
All right.
Thanks.
I don't know what to say.
It's early Christmas.
I mean, I'm not sure what's going on there.
But with all this said, we actually were experimenting with GTC before they even said
anything.
But we just thought that was absolutely hilarious that they were giving us our next attack.
So what's GTC?
Well, GTC basically replaces the portion of the inner authentication that's MSCHAP.
And it was a protocol that was developed by Microsoft and Cisco for PEAP version 1.
And it was created basically for token cards and one‑time passwords.
So you guys have probably seen those SecurID cards.
You can kind of see them on the page there.
If you've ever worked for a major corporation, I'm sure you've seen something like this
or played lots of video games these days.
They're giving them out like candy these days.
It's very similar to PEAP version 0 with MSCHAP v2 except it doesn't have a peer challenge.
So a lot of it ‑‑ I'm not going to go over the whole interaction again because
it's all the same except instead of the dual challenge and all of that stuff, it just sends
over the one‑time password.
So it's similar in operation in that regard.
All right.
So you guys remember what I said about the clients not actually telling ‑‑ I'm sorry,
the server not actually telling the clients what kind of password and username it was
asking for?
Well, this is one of those areas where it might come in handy, right?
If your client just pops up and says give me username and password, you're like, oh,
that must be my username and password from my NT login, right?
Why wouldn't it be?
It doesn't say one‑time password.
It doesn't say give me, you know, your token card.
It just says, you know, give me your username and password.
And this is kind of a weird funky thing with clients we'll get into here in a second.
But think about how we can use that to our advantage, right?
I'm sure all your brains are turning there with that.
It's probably pretty obvious.
But let's take a look at it.
So this is our next attack.
It's called the peeping Tom.
Basically the same kind of setup.
There's an AP in here you don't see.
But you've got your client.
In this case it can be an Android or an iOS device.
The last attack was iOS only.
And just before I get into this attack, this doesn't invalidate MSCHAP v2 and I think
that's kind of what Apple was saying.
But if for some reason, you know, PEAP version one leaves or PEAP version two comes out and
people decide they don't want to support GTC or something anymore, Apple still hasn't fixed
their problem.
So that's still a valid attack vector.
Just because this is out doesn't mean another vector is not open.
Something about front doors and back doors and ‑‑ anyway.
So what happens with our first attack here is we replace the radius server with an attack
server just like the other one.
Exactly the same.
The server requests ‑‑ well, you do the identity thing right in the beginning
where it sends over the identity just like in MSCHAP v2.
The server says, okay, send me a one‑time password.
And again, the client has already interacted with the user.
So the client just for some reason is like, oh, okay, well, I've already got the password
that he entered.
Why not?
Let's send that over.
So the client responds with, sure, this is a GTC password.
Why not?
I just asked the client for username and password.
So the RADIUS server obviously in this attack instance, we don't actually know the password.
So GTC fails and says no password for user.
We don't care.
You know, where the RADIUS server is patched and it doesn't care what it gets, it's going
to send success anyway.
So it's a little short of the MSCHAP v2 but the server sends over TLV success anyway and
says, okay, you know, your password looks good.
And the client is like, sure, I trust you.
Why not?
I sent over the password.
I'm not authenticating that you know it.
It's a one‑time password.
Why would I do that anyway for a one‑time password?
And the client accepts and responds to TLV success and we have a full connection there
and a full connection is established.
At this point, we can do all kinds of things.
We already have a full connection.
We don't have the password which I'll show you in a second but you could use sslstrip
or any of your normal man in the middle attacks that you might want to do against a client
after you get him to connect to you.
And so once again, we're extremely excited, you know, and dancing because we got the client
to attach to us.
Okay.
Great.
Everyone's excited about that.
Yeah, yeah, yeah.
Jim liked his video better.
Peanut butter jelly time is old school, right?
Okay.
So what does the client look like?
Again, this works on iOS but I'm going to use an Android device because something different
happens here with Android.
See if you guys can catch on what it is that's missing from this that was in the MSCHAP attack
with the clients.
The first thing that happens is, right, DEF CON secure.
You guys all used the DEF CON secure network this weekend, right?
Yeah, right.
So that was MSCHAP v2, just saying.
Anyway.
Great.
So we connected DEF CON secure.
It's PEAP.
Awesome.
You know.
It just says identity on Android, but whatever.
Most people think of that as a username and password.
And bam, we're connected.
So what's missing here?
You.
Cert.
That's right.
There was no acceptance of the cert.
Our cert's bogus.
It's example.com or goofball.com or whatever, doucher.com.
Android doesn't actually ask you to accept a cert, which is interesting because that
means later there's no user interaction.
So this client interaction would change.
If they've already connected to the corporate network or DEF CON secure network and then
they connect to your evil twin, it's a different cert, but Android doesn't care, accepts it
anyway and just sends the password right on over.
Okay.
Awesome.
Right?
I mean, anyway.
Anyone see this this weekend at all on the DEF CON network?
Not one person?
Well, we saw it on a couple of people's networks.
Shameless plug for our TBA talk since no one had any idea that we were even in here and
what we were doing.
We basically took with one of my buddies down here that helped me, you can raise his
hand if he wants to.
That's a notoriety.
We basically took a Raspberry Pi and used our same attack tools in a slightly different
configuration and basically just set up a captive portal that any time somebody connected
to us instead of DEF CON secure, they got this captive portal page that popped up and
said, hey, Jim doesn't know about this yet.
This is a surprise for him.
I took a lot of his work to do this, but I was going to fill him in later, but he came
a little late.
That's convenient for you.
Yeah.
Convenient for me.
But, you know, promoting for us.
So anyway, that's what we were doing there.
So clear text anyway.
So where do we get the password in this particular instance?
We didn't have a captive portal.
Well, gee, RADIUS, it was totally awesome for you to put your clear text passwords in
your debug file for us.
Cool.
That's kind of weird, right?
But if you think about it, it's a one‑time password.
So if somebody sees it in a RADIUS debug, what does it really matter?
Well, unless it's an actual MSCHAP v2 password that somebody mistook for a one‑time password.
Because, again, the way the clients are developed, and I know I keep going back to this, but
this is a big thing.
The way the clients are developed, they just ask you for username and password.
You don't have any indication on exactly what they're looking for.
So that's a big deal there.
And again, this is an actual screenshot from this weekend from the DEF CON secure network.
I've blanked out the passwords because I don't know why.
Who cares?
But I did anyway.
There's my test one in there.
That one's not blanked out.
But these ‑‑ I don't know if anybody notices their password.
We've got an MAA in there and a WGRETS user.
So that was from this weekend.
Just to show you another example.
I just want to say it had nothing to do with his attack that he did today or over
the weekend.
Sure.
Sure.
You say that now.
So let's talk about it.
Let's do a recap on exactly what happened here.
What does it work on?
So PEAP version 1 works on anything that GTC ‑‑ that PEAP version 1 works on natively.
So that includes things like iOS and OS X.
Again.
It works on your personal Mac computer or your personal device.
It works on Android, again, without a cert at all, which is a huge deal in these attack
environments because it just sends you that password right on over.
I don't care if it's a one‑time password.
Here's my goodies.
Unix, it will work.
But the user is really going to have a lot of interaction here.
They're really going to see what's going on a little bit more with, say, like Ubuntu
or something.
But I didn't do an exhaustive test on all of the different platforms out there.
But with Ubuntu, the attack would work.
But typically ‑‑ yeah.
I mean, I'm just going to say it outright.
Linux users typically know a little bit more about what's going on and why that cert
says butthole.com instead of example.com or whatever it's supposed to.
Windows, there's no native.
Even though PEAP version 1 was developed by both Cisco and Microsoft, there's no actual
native support.
So somebody would have to install a supplicant or some kind of other software in order to
get PEAP version 1 in Windows to work.
But again, that wasn't really our focus.
Our focus here is, you know, execs or people that just want to bring in their phones or
whatever mobile device or whatever device they have.
They bring their own device, bring their own disaster kind of crap, and connect up
to the network because that's who they are and they can.
So that was really the focus here.
But again, it doesn't really work on Windows for once ever, right?
That's kind of a rare thing.
But whatever.
No captive portal required, right?
The man in the middle attack is trivial because it includes clear text passwords.
We don't have to do a captive portal.
We could.
In this instance, I use it to advertise.
But you could just serve them off to the Internet.
Or even more fun, you could have them connect to DEF CON secure and serve them off to regular
DEF CON.
Because that's fun.
Sorry.
Anyway.
Instant capture of MSCHAPv2 passwords on iOS devices after the user accepts the cert
from the evil twin.
So on iOS, you will actually have to accept the cert.
So it won't just happen in their pocket, right?
We were doing this with friends of ours that were around and kept sending their password
over and over and over again because they were on Android.
But if you're on iOS, it will actually pop up and say I don't recognize this cert.
And most people are like, yeah, I want my porn.
Give me access.
Okay.
So anyway.
So we're going to go into our demo here and the tool that we spent a lot of time on.
I'm going to hand it over to Jim because he's going to give you the intro and then we'll
pull the tool.
Cool.
You're going to pull it up.
So anyway.
So things you'll need to run this attack, you're going to need some type of Linux system.
We've used Ubuntu 12.04; both the server and the desktop versions work great out of
the box.
So if you want to download those, you can.
A Wi‑Fi adapter is needed.
The Alfa adapter there is the one that we've used.
The important thing is this.
We're using hostapd in our tool set.
So as long as your card is supported by hostapd, it should work just fine.
Our custom patch that we made, it just basically goes in and changes some of the modules built
into RADIUS, the PAP module and the MSCHAP module, to send the right stuff over to these
clients and, you know, get them to establish the full connections.
So you want to download that.
And then the LootBooty Wi‑Fi tools is just a tool set that we developed.
We're going to use that.
We wrote it in Ruby.
People always ask, well, why the hell did you guys use Ruby?
So Ruby basically, to me, it's like the canvas for people that can't draw because I suck
at coding.
So you can take a giant shit on the canvas and smear it around with your hands and it
always works.
And once you guys download the tool and you look at the code, you're going to go, now
I know why he said that.
Because he does suck at coding.
And I do.
I just have enough energy to make things work.
I don't do it right.
By any means.
Is that mic working?
Hello.
Yes.
Sweet.
So Josh is going to pull up our live demo here.
And we encourage you guys to try this, those of you that were not smart enough to turn
your phones off before you came in.
This is really meant to use in a VM, by the way.
You probably don't want to run this just the way it's set up right now.
Or you can just download and look at the code and do it however you want like we did on
a Raspberry Pi.
Just one.
But anyways, it's a menu driven system.
So we've got two of the attacks built into there.
The two attacks that we talked about today.
The first one is ‑‑ I can't even see it from over here.
So the peeping Tom attack.
Are we doing that one first?
Yeah.
Peeping Tom.
No, the iPoner.
Okay.
So we'll go ahead and do the iPoner first.
So you go ahead and you select option two.
It's going to tell you a little brief description of what the attack is going to do.
So you kind of have an idea of what's going on.
Can you guys see that at all?
Okay.
Let's make the font bigger here.
Sorry.
There we go.
Jerk.
That's right.
How about that?
Is it any better?
Even bigger, I would say.
Okay.
We'll try it.
Huge.
I know you ‑‑
Size matters, right?
Size matters.
Huge.
Says the lady in the front right here in the striped skirt.
This is as big as it goes, though.
No more medicine for me.
Anyway.
So we're going to go ahead and do this.
Anybody notice her limp when she walked in the room today?
That was me.
Just saying.
Use your imagination.
TMI, buddy.
Jesus.
It was this crap they made me drink.
I know.
I know.
I know.
You took one from the team for me, too.
That was yours.
Yours put me over the edge.
Yeah.
Okay.
So anyways.
Menu driven system.
Cool pictures.
ASCII art.
We like that.
How many people colorize with Ruby?
Nobody.
Thank you.
It looks really cool, though, right?
It does.
I mean, old school.
Kind of neat.
Josh hates colors.
I like colors.
Anyway.
So start.
How hard is that?
Right?
So you type in your wireless interface.
In this case we're using WLAN 1.
We're going to tell it the network name that we want to clone.
So whatever company you're working for, you want to type that in there.
We're using what?
My computer?
My company rules.
Okay.
My company rules.
When you guys see this, start connecting to it.
Please.
Seriously, we're not going to steal your stuff.
So if you want to spoof a MAC address, you can.
We put that functionality in here because it's kind of fun to do.
If you just hit enter, it's going to take whatever your card's default MAC address is.
You can select a channel if you'd like.
If you hit enter, it's going to default to 9.
I don't know why I picked 9.
I just did.
But anyways.
So it's going to go ahead and start a bunch of stuff.
Basically what it's starting is it's starting a RADIUS server, FreeRADIUS, if you guys
have ever used that.
On the top left there, that's your FreeRADIUS.
On the bottom left corner, it's your web server.
That's going to show you the captive portal.
And that's all in Ruby as well.
It's using, I think it's called WEBrick.
So you'll see as people are trying to hit your portal.
Over on the right‑hand side, you're going to see hostapd, and that's basically if you
want to see from an access point standpoint, you're going to see all the people associating
with your access point.
You're going to get their MAC addresses and that kind of information.
And the big screen in the middle is basically your captive portal creds, which is what you're
waiting to pop up.
That's when people have made the connection, they've accepted your cert, they've been forwarded
your captive portal, and then they're going to type in their credentials again.
So hopefully somebody is doing it.
It looks like we've got plenty of activity here.
I will say you can type in whatever you want.
So if you want everybody in here to see it, go ahead and do it now.
Just try not to make it totally horrible.
And again, this is iOS only.
So if you're trying this with your Android device, it won't work.
It's an MSCHAPv2 vulnerability.
It's not going to work.
It's hacked.
I'm a loser.
You're not a loser.
You're good.
You're good.
Nobody has done something really offensive.
Bring it.
This is the kind of place you'd expect it.
Of course, everybody is afraid, right?
So this is it.
If you're doing a penetration test in a corporate environment that's using WPA2 Enterprise,
which most of them do, you spin this tool up and you wait 10 minutes or 15 minutes until
‑‑ Somebody fucked your mom.
Oh.
I fucked your mom.
I know.
I've tried to talk to her about that a few times, but she does her own thing.
I encourage her.
Go for it.
Good for you.
Just remember to do the pull and pray.
Okay?
All right.
So the next attack is the peeping Tom one.
So the first one only works in iOS and OS X because that's the only people that are screwing up
MSCHAPv2 at this point in time.
So the second attack is peeping Tom.
That works on basically everything that supports GTC.
So the same type of thing.
You hit start.
You type in your wireless interface that you've got plugged into your machine.
That's my company rules, right?
My company rules is the ‑‑ my company rules.
Yeah.
You're right.
And then if you want to spoof a MAC address, no, we're not going to in this case.
We go ahead and hit enter.
We don't care what channel we're using.
And basically the same thing.
You've got your RADIUS server starting up so you can see what's going on from that perspective.
You've got your AP starting up so you can see from that perspective.
And then you've got your GTC passwords.
The cool thing about this, so if you've ever connected to my company rules before and you've
accepted the cert or whatever, it's automatically going to send your stuff over now to this
one because your Android devices are going to ask you to accept the cert.
It's just going to automatically send us your stuff.
Yeah.
And all you people that are already connected with iOS, as soon as we spun this up, it
automatically sends your password over without doing anything because you've already accepted
that same cert.
Otherwise you would have to accept the cert.
But this is just a demonstration.
Fuck the police.
I like that.
Monkey balls.
Who did that?
Raise your hand.
You're my hero.
All right.
We've got monkey balls.
We love you.
Thank you.
So anyway, yeah, I mean, it's just a great way to see exactly how the attack works right
in a row.
Right?
First attack was you logging into your company.
The second attack is no ‑‑ it's not even asking you for your credentials.
Again, it's just logging in if you had an iOS device and you did that.
So how many people are familiar with the aircrack-ng suite?
Everybody's used that, right?
You know the thing they got where it just automatically responds to any probe request.
So imagine if you were just responding to anybody's probe request in this scenario that
have connected to a corporate network before.
You know, and you're spinning up a fake corporate network, it's going to automatically start
sending you their logins and passwords that they used in the past, which is kind of a
big deal.
Just saying.
Yeah.
So, anyways, I'll pass you back over here to Joshy Poo, the guy that didn't drink his
alcohol.
Boo.
Boo.
Don't hate me.
I'm sorry.
You can beat me all later, I swear.
We've got five minutes, Holmes.
Okay.
I get that right.
No, you can just do it.
Okay.
You take my word for it.
All right.
Where are we?
Let's see.
We're beeping.
All right.
How about that?
Okay.
So let's talk a little bit about how we came about with this.
What was our goal and how do we achieve it?
So historical perspective.
The first thing we decided was, wow, you know, Josh Wright and who's the guy that did the
divide and conquer talk?
Anyway.
Moxie.
It was Moxie, right?
I think.
Anyway.
Yeah.
Anyway.
So there's been a lot of really good talks on how to crack passwords from WPA2 or crack
the actual hash.
And I don't have access to a giant web infrastructure or a giant virtual infrastructure online or
10,000 GPUs or 10,000 PS2s or whatever the cool kids are doing these days.
So we really wanted to make it easy and we're just like, you know, we're lazy.
Cracking hashes is too hard.
There's got to be another way to do this.
Can we just trick the client into giving it to us?
That way establishing some kind of full connection and maybe just, you know, hand it over directly
to us so we don't have to crack it.
Obviously that's what you guys just saw.
So then we started going down the path of how WPA2 works.
Well, like you guys saw, what if we just accepted everything that RADIUS actually got
sent and sent it back?
Well, then you saw that in that there was actually some problems with that where MSCHAPv2
actually worked correctly and just dumped the connection.
So we started playing with that idea of, you know, what if RADIUS just said everything,
everything was okay.
Can we get the client, can we trick the client somehow into making a full connection with
us and then do something with them later to get the password?
And so basically we started with some past work.
Josh Wright's done some really good work on patching RADIUS to actually output the
hashes directly in the RADIUS debug file so then you could take those hashes and try to
crack them offline or do one of the other different attacks or brute force it or whatever
you want to do, which again was too hard for us.
But we started kind of with that and then we moved on from there and said, well, you
know, what else do we need to do with RADIUS?
And I basically put Jim in a little box and I didn't let him come out for air for two
or three weeks, a month, something like that, a month.
And I started going through every single module and we said, well, what about that
one?
What about that one?
What if we send this back here?
And a lot of people seemed kind of interested in that and how we figured that out.
And neither of us are coders at all, right?
We started with somebody else's work.
We didn't want to crack the hashes.
We did this tool in Ruby that's really kind of scripty.
And then we started working with somebody else's work.
So how can we do this to make this easy?
And again, starting with this work from ‑‑ great work from others.
And it yielded unexpected discoveries, right?
We ended up finding a vulnerability, as far as we know, for iOS that has never been reported.
You know, when we told Apple about it, obviously they told us to get stuffed.
But in so many words.
But you know, that it was just random.
And I really encourage you guys that are interested in this kind of stuff to test things that
people say work, right?
You don't have to necessarily write a buffer overflow or stand on your head in your naked
cartwheels or whatever it is to take you to get where you want to go.
But just test things that you think should work that way.
If they say it should work that way, test it.
Make sure.
You know, there were times in my ‑‑ and I was like, well, MSCHAPv2 doesn't work that
way.
There's no way that will work.
But here it is.
Undiscovered discoveries here.
So, you know, no, we didn't invent time or the flux capacitor or anything really cool
like that.
But what we did come up with is this patch, again, that I sold ‑‑ I put him in this
box.
And he came up with this crazy patch for RADIUS that allowed us to test this.
And allowed us to see what would happen when we just accepted everything in certain ways.
And so that was where the meat and potatoes of what we're giving to you guys today other
than, you know, anybody ever set up wireless attacks, it takes some time.
One minute.
Okay.
Good.
Perfect.
It can take some time to set that stuff up.
So what we're giving you guys today is the patch so you can test this against your own
infrastructures or wherever else you want to test it.
And some easy ways to set up the tools really, really quickly.
So I'm going to pass over here, Jim, to the last slide.
He's going to tell you where to get some of this stuff.
Last 30 seconds.
First 30 seconds.
So LootBooty.com.
It's basically just going to forward you on to our GitHub site.
You can download the tool.
You can download the patch.
It has an installer script that you can run.
It's called sysprep.
It's basically just going to do an apt-get and download some of the libraries that you're
going to need and just makes things a lot easier for you.
But again, read the code.
Make sure you understand what's going on before you run it against your guys' own.
I promise it won't send your passwords over to us.
You should check, though.
Yeah, literally check.
And then the picture is just a jab at what's going on in the media today.
Stop spying on me.
I don't do anything cool.
I promise.
So anyways, that's our talk.
We appreciate you guys taking the time to listen to us.
